A quick guide to PCI DSS v3.2


By Natasja Bolton, Senior Acquirer Support

To help you navigate the updated standard we've prepared the following easy-to-reference Guide to PCI DSS v3.2. For a more in-depth review of PCI DSS v3.2 we recommend reading the article PCI DSS v3.2 – What's changed.


Guide to PCI DSS v3.2

Key Dates

PCI DSS v3.2: effective from now
PCI DSS v3.1: retired from October 31, 2016

New Requirements

All new requirements are best practice until January 31, 2018

Applicable to all

6.4.6: Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
8.3.1: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

Applicable to service providers

3.5.1: Maintain a documented description of the cryptographic architecture, including details of all algorithms, protocols, and keys used, a description of the key usage for each key, and an inventory of any HSMs and other SCDs used for key management.
10.8: Implement a process for the timely detection and reporting of failures of critical security control systems, including firewalls, IDS/IPS, FIM, anti-virus, access controls and audit logging.
10.8.1: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include restoring security functions, recording duration, root cause, remediation required, risk assessment and prevention of reoccurrence.
11.3.4.1: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
12.4.1: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program, including overall accountability for maintaining PCI DSS compliance, defining a charter for a PCI DSS compliance program and communication to executive management.
12.11: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover: daily log reviews, firewall rule-set reviews, applying configuration standards to new systems, responding to security alerts, and change management processes.
12.11.1: Maintain documentation of the quarterly review process, including documented results of the reviews and review and sign-off of results by responsible personnel.
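Requirements 10.8 and 10.8.1 ask for timely detection of a failed critical security control and for the failure's duration to be recorded. The following is an added example written for this guide, not code from the article or from the PCI SSC: it reads constructed status lines (the timestamp/control/status format, the five control names and the five-minute heartbeat interval are all assumptions made for the example) and flags each critical control that has either reported an error or gone silent for longer than two heartbeats, together with how long it has been down.

```python
from datetime import datetime, timedelta

# Constructed status lines, not real logs. Each line is "<ISO timestamp> <control> <status>",
# emitted every five minutes by each critical control (the interval is an assumption).
SAMPLE_LOG = """\
2016-11-01T08:00:00 firewall ok
2016-11-01T08:00:00 ids ok
2016-11-01T08:00:00 fim ok
2016-11-01T08:00:00 antivirus ok
2016-11-01T08:00:00 audit_logging ok
2016-11-01T08:05:00 firewall ok
2016-11-01T08:05:00 ids ok
2016-11-01T08:05:00 antivirus ok
2016-11-01T08:05:00 audit_logging ok
2016-11-01T08:10:00 firewall ok
2016-11-01T08:10:00 ids ok
2016-11-01T08:10:00 antivirus error
2016-11-01T08:10:00 audit_logging ok
"""

# The control types named in requirement 10.8; the identifiers are this example's own.
CRITICAL_CONTROLS = ("firewall", "ids", "fim", "antivirus", "audit_logging")
HEARTBEAT_INTERVAL = timedelta(minutes=5)


def parse_status_lines(text):
    """Parse the constructed status format into (timestamp, control, status) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, control, status = line.split()
        events.append((datetime.fromisoformat(ts), control, status))
    return events


def detect_control_failures(events, now, max_silence=2 * HEARTBEAT_INTERVAL):
    """Return one record per failed control, with the failure's duration as of `now`.

    A control is failed when its latest report is an error, or when it has not reported
    "ok" within `max_silence` (a silent agent is treated as a failed control, not as healthy).
    """
    last_ok, last_seen = {}, {}
    for ts, control, status in events:
        if ts > now:
            continue  # ignore anything later than the evaluation time
        last_seen[control] = ts
        if status == "ok":
            last_ok[control] = ts

    failures = []
    for control in CRITICAL_CONTROLS:
        ok_ts = last_ok.get(control)
        if ok_ts is None:
            failures.append({"control": control, "reason": "never reported",
                             "failed_since": None, "duration": None})
            continue
        if last_seen[control] > ok_ts:
            reason = "reported error"
        elif now - ok_ts > max_silence:
            reason = "heartbeat missing"
        else:
            continue
        # Duration is counted from the last known-good report, which is what 10.8.1's
        # record of the failure needs; root cause and remediation are filled in by people.
        failures.append({"control": control, "reason": reason,
                         "failed_since": ok_ts, "duration": now - ok_ts})
    return failures


def summarize_failures(text, now_iso):
    """Convenience wrapper: (control, reason, minutes down) tuples for a log and a time."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for f in detect_control_failures(parse_status_lines(text), now):
        minutes = None if f["duration"] is None else int(f["duration"].total_seconds() // 60)
        out.append((f["control"], f["reason"], minutes))
    return out


if __name__ == "__main__":
    for control, reason, minutes in summarize_failures(SAMPLE_LOG, "2016-11-01T08:12:00"):
        print(f"{control}: {reason}, down for {minutes} min")
```

Run against the constructed log at 08:12, the check reports the FIM agent (silent since 08:00, so 12 minutes) and anti-virus (error at 08:10, last good at 08:05, so 7 minutes), while the controls still reporting "ok" are not listed. The silence threshold matters: treating a missing heartbeat as healthy would hide exactly the failure 10.8 is meant to catch.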

Updates to PCI DSS Appendices

Appendix A1 (no change in v3.2): Additional PCI DSS Requirements for Shared Hosting Providers.

Appendix A2 (new): Additional PCI DSS Requirements for Entities using SSL/early TLS. All testing procedures relating to SSL/early TLS have been moved from each of requirements 2.2.3, 2.3 and 4.1 to Appendix A2. This appendix applies to entities using SSL/early TLS as a security control to protect the CDE and/or CHD.

Appendix A3 (new): Designated Entities Supplemental Validation (DESV). Additional assessment and validation applicable only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements.

Appendix B (no change): Compensating Controls. Explanation of the criteria for and usage of compensating controls.

Appendix C (no change): Compensating Controls Worksheet. Worksheet for defining compensating controls.

Appendix D (no change): Segmentation and Sampling of Business Facilities/System Components. Information on the effect of network segmentation and sampling on the scope of a PCI DSS assessment.

New more flexible requirements

v3.1, 1.3.6: Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
v3.2, 1.3.5: Permit only "established" connections into the network.

v3.1, 1.4: Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
v3.2, 1.4: Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.

v3.1, 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
v3.2, 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
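The v3.2 wording of 3.3 makes the first six/last four a ceiling for everyone, with any display beyond that tied to a documented business need. As an added example (written for this guide, not the article's or the PCI SSC's code), the following masks a PAN to a per-role policy, refuses any policy that would show more than the standard's maximum, and includes a check that rendered output never reveals more than the first six and last four digits. The role names and the display policy table are assumptions made for the example; the test PANs are constructed values.

```python
import re

MAX_LEADING = 6   # the standard's maximum: at most the first six digits shown
MAX_TRAILING = 4  # ... and at most the last four

# Assumed per-role display policy (example only). None means the role has a documented
# business need for the full PAN; a tuple is (leading digits shown, trailing digits shown).
DISPLAY_POLICY = {
    "fraud_investigator": None,   # legitimate business need: full PAN
    "customer_service": (0, 4),   # last four is enough to confirm a card with a caller
    "default": (6, 4),            # the standard's ceiling for everyone else
}


def normalize_pan(pan):
    """Strip spaces and hyphens and sanity-check length (PANs are 13 to 19 digits)."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    return digits


def mask_pan(pan, leading=MAX_LEADING, trailing=MAX_TRAILING, mask_char="*"):
    """Mask a PAN, never revealing more than the first six and last four digits."""
    if not (0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING):
        raise ValueError("display policy exceeds the first-six/last-four limit")
    digits = normalize_pan(pan)
    hidden = len(digits) - leading - trailing
    return digits[:leading] + mask_char * hidden + digits[len(digits) - trailing:]


def display_pan(pan, role):
    """Render a PAN for a role: full PAN only where the policy records a business need."""
    rule = DISPLAY_POLICY.get(role, DISPLAY_POLICY["default"])
    if rule is None:
        return normalize_pan(pan)
    leading, trailing = rule
    return mask_pan(pan, leading, trailing)


def is_compliant_display(shown):
    """True if a rendered string exposes at most six leading and four trailing digits."""
    return re.fullmatch(r"\d{0,6}\*+\d{0,4}", shown) is not None


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"  # constructed test PAN
    for role in ("default", "customer_service", "fraud_investigator"):
        out = display_pan(pan, role)
        print(f"{role:>18}: {out}  compliant mask: {is_compliant_display(out)}")
```

The compliance check deliberately fails on a full PAN: a screen, receipt or log line that passes `is_compliant_display` is within the 3.3 ceiling, and any output that does not pass should only be reachable through a role the policy lists as having a business need. Masking happens on the rendered value, so it does not interfere with the separate storage requirement in 3.4.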

Removed Requirements

1.3.3: "Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment."
Reason for removal: this requirement's intent is met through other requirements in 1.2 and 1.3.

Clarifications of intent and implementation

The list below covers the key clarifications, updates and amendments to specific requirements and/or their associated guidance. Please refer to the PCI SSC Summary of Changes from PCI DSS Version 3.1 to 3.2 for the complete list of updates to terminology, examples and guidance notes.

Multiple (Payment Applications): Additional references to / inclusion of payment applications. Testing of payment applications is explicitly called out in many requirements, including Requirement 2.1 (change vendor defaults), Requirement 3.4.d (render PAN unreadable anywhere it is stored: examine payment application logs) and Requirement 6.2 (install critical patches within one month).
1.1.6 (Firewall and Router Configuration Standards): Now requires documentation of approval for use of all services, protocols and ports allowed, as well as business justification.
1.2.1, 1.3 (Restricting connections between untrusted networks and the CDE): Updated guidance clarifying the intent of the requirements, as requirement 1.3.3 has been removed (see above).
3.4.1 (Using disk encryption to render stored cardholder data unreadable): Updated to confirm that this requirement applies in addition to all other PCI DSS encryption and key-management requirements (i.e. Requirements 3.5 and 3.6).
3.6.1.b (Cryptographic Key Management Processes): Updated testing procedure and guidance in relation to procedures for the generation of strong cryptographic keys.
6.4.4 (Change Control Processes and Procedures): Clarification to the requirement, testing procedures and guidance to ensure that test data and accounts are removed from system components before they become active and/or go into production.
6.4.5 (Change Control Processes and Procedures): Updated guidance confirming the intent is for change control procedures to apply to all system changes, including hardware or software updates and installation of security patches.
6.5 (Software Development Processes): Update to software developer training requirements; training must be up to date and at least annual.
8.1.5 (User identification management): Organisations are now required to manage the IDs used by any third party (not just vendors, as in v3.1) to support, manage or maintain their system components via remote access.
8.3 (Multi-factor Authentication): All references to 'two-factor authentication' have become 'multi-factor authentication'.
9.1.1 (Facility entry controls): Updated to confirm that the requirement is for either video cameras or access control mechanisms (or both) to be used to monitor individual physical access.
11.2.1 (Quarterly internal vulnerability scans): Clarified requirement to ensure that all "high risk" vulnerabilities are resolved in accordance with the entity's vulnerability ranking (per Requirement 6.1).
11.3.4.c (Segmentation penetration testing): Updated to confirm that a qualified internal resource or qualified external third party must be used to perform segmentation penetration testing, as is required by all other penetration testing requirements.
11.5.a (Change detection): Removed the statement 'within the CDE' from the testing procedure, as in-scope systems, and hence critical system files, may be outside the CDE itself.
12.6 (Security Awareness Program): Clarified that the intent of the security awareness program includes awareness of cardholder data policy and procedures.
12.8.1 (Manage Service Providers): Updated requirement requiring that the list of service providers must include a description of the service provided.
12.10.2 (Incident Response Plan): Annual incident response plan testing now requires inclusion of all elements of the plan as specified in requirement 12.10.1.


For more information and full details of the PCI DSS v3.2 refer to:

PCI Data Security Standard version 3.2

PCI SSC Summary of Changes from PCI DSS Version 3.1 to 3.2

PCI SSC v3.2 Blog post
